The eight “recommended” guidelines announced in 2012 already contain the Top Four mandated in 2013.

In response to increasing ransomware and cybercriminal threats, Australia’s Cyber Security Centre (ACSC) intends to mandate the Essential Eight, the strategies to mitigate cybersecurity incidents that were rolled out in Feb 2017.

The Essential Eight is expected to apply to all non-corporate Commonwealth entities in addition to the already mandatory Top Four.

The ACSC recommends that all Australian organizations implement the Essential Eight mitigation strategies as a baseline to make it much harder for adversaries to compromise systems. This can be more cost-effective in terms of time, money and effort, it says, than having to respond to a large-scale cyber security incident.

Supportive of Essential Eight

One Australian cybersecurity firm welcomes the imminent mandate. According to the co-founder of Airlock Digital, David Cottingham: “It is heartening to see leading consumer enterprises pro-actively responding to the heightened risk environment by embracing the Essential Eight and developing a mature, risk-based approach to cybersecurity.”

The firm implements Application Control, the first of the Essential Eight strategies, in its solutions. Many other cyber security frameworks, including the US Cybersecurity Maturity Model Certification (CMMC), also recommend Application Control.

One regional health and wellness group that uses Airlock to safeguard data, Fitness & Lifestyle Group, is also supportive of the Essential Eight being made compulsory. The group’s Head of Information Security, Lee Roebig, said: “The protection of our staff and our members’ data is a priority for our business. The ACSC Essential Eight is extremely important to FLG, as it should be for any other global business.”

Roebig noted the importance of using multiple endpoint security controls and protecting endpoints from malicious software-based attacks. “Aside from achieving the number one ACSC security control and the associated benefits, we now have a really good grasp of what applications are being used across all our brands and businesses, and we can now ensure that only authorized programs are running.”